RE: RE: Amazing but true

From: Roberts, Larry (Larry.Roberts@expanets.com)
Date: Thu Feb 27 2003 - 21:45:04 GMT-3


Question..

Does the username of the devices match the hostname ( hostname is routera,
username routera ) ?

I don't see the templates so I must have missed them somewhere so here is
another question..

Are you sending a username with your chap auth ?

If not here is my thought on why your configuration is working.. I could be
WAY off..

RTRA sees an authentication request from RTRB. It looks in its username list
and sees RTRB with a password of CISCOB.
It uses that in its hash.

RTRB sees an authentication request from RTRA. It looks in its username list
and sees RTRA with a password of CISCOB ( per your config below )
And uses that for its hash.

Now, if you do a sent-username ( I don't have access to check the exact
syntax right now ) then it would authenticate using the username you
specified.

In your case, the devices are using their hostname as the default username I
suspect, so hence 2 different usernames would have to have the same
password.

Just to check, create a username called "larry" with a password of "iscrazy"
( that's what my wife tells me :) on both devices and use the sent-username
on both chap authentications and see if they work.

If you are using the sent-username then I am crazy..

Thanks

Larry

-----Original Message-----
From: Michael Snyder [mailto:msnyder@revolutioncomputer.com]
Sent: Thursday, February 27, 2003 1:39 PM
To: p729@cox.net
Cc: ccielab@groupstudy.com
Subject: RE: RE: Amazing but true

>In order to derive the same hash, the passwords MUST be the SAME for a
>given username. Don't be fooled by claims of being able to use different
>passwords on each end with CHAP

Are you sure we're talking about the same thing? My posted template works,
feel free to try both my chap and pap templates.

How do you reconcile your statement with my working config?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass2
Username B password 0 pass1

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
p729@cox.net
Sent: Thursday, February 27, 2003 10:44 AM
To: Michael Snyder; 'ccie2be'
Cc: ccielab@groupstudy.com
Subject: Re: RE: Amazing but true

Michael,

With PAP, the password is sent across the wire in plain-text,
effectively: "here is my username and password, authenticate me." The
authenticator simply does a lookup. What's important is the PAP
sent-username and password and the username and password on the
authenticator match. The username and password on the authenticatee (side
requesting to be authenticated) is superfluous.

With CHAP, the password itself is never actually sent over the wire, only a
hashed version of it. All the authenticator knows is "who am I
authenticating?" Somehow, the authenticator must derive the same hash that
the authenticatee sent so the results of a comparison will be a match. In
order to derive the same hash, the passwords MUST be the SAME for a given
username. Don't be fooled by claims of being able to use different passwords
on each end with CHAP. In reality, different USERNAMES and passwords are
being used--it's the only way it can work.

Regards,

Mas Kato
https://ecardfile.com/mkato
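To make the lookup behaviour described in the two replies above concrete, here is an added simulation (not code from the thread or from Cisco) of RFC 1994 MD5-CHAP between the two routers. It assumes, as Larry suggests, that each router sends its hostname as its CHAP name and looks up the peer's name in its own username table; the hostnames, usernames and passwords are the constructed values from Michael's posted config.

```python
import hashlib
import os

# Constructed username tables mirroring the two configs posted in the thread
# ("username A password 0 pass1" ...). No real CHAP secrets are involved.
ROUTER_A = {"hostname": "A", "usernames": {"A": "pass1", "B": "pass2"}}
ROUTER_B = {"hostname": "B", "usernames": {"A": "pass2", "B": "pass1"}}
# Router B with the passwords *not* transposed (the PAP-style layout).
ROUTER_B_PAP_STYLE = {"hostname": "B", "usernames": {"A": "pass1", "B": "pass2"}}


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994, MD5 CHAP: Response = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


def chap_one_way(authenticator: dict, peer: dict, ident: int = 1,
                 challenge: bytes = b"") -> dict:
    """Simulate one direction: `authenticator` challenges `peer`.

    Assumption (IOS default without sent-username): each side uses its
    hostname as the CHAP name, and each looks up the *other* side's name
    in its own username table to find the secret it hashes."""
    challenge = challenge or os.urandom(16)
    challenge_name = authenticator["hostname"]          # carried in Challenge
    peer_secret = peer["usernames"].get(challenge_name)  # peer looks up challenger
    response_name = peer["hostname"]                     # carried in Response
    auth_secret = authenticator["usernames"].get(response_name)
    if peer_secret is None or auth_secret is None:       # unknown name: fail closed
        return {"ok": False, "peer_used": (challenge_name, peer_secret),
                "auth_used": (response_name, auth_secret)}
    response = chap_response(ident, peer_secret, challenge)
    expected = chap_response(ident, auth_secret, challenge)
    return {"ok": expected == response,
            "peer_used": (challenge_name, peer_secret),
            "auth_used": (response_name, auth_secret)}


def mutual_chap(router_a: dict, router_b: dict) -> dict:
    """Two-way CHAP as on a dialer link: each router challenges the other."""
    return {"a_authenticates_b": chap_one_way(router_a, router_b),
            "b_authenticates_a": chap_one_way(router_b, router_a)}


if __name__ == "__main__":
    for label, rb in (("transposed", ROUTER_B), ("not transposed", ROUTER_B_PAP_STYLE)):
        for direction, r in mutual_chap(ROUTER_A, rb).items():
            print(label, direction, r["ok"], r["peer_used"], r["auth_used"])
```

Running it shows that with the transposed tables only the entries for the *peer* are ever consulted (both resolve to pass2), so the two self-entries holding pass1 are never used; with the PAP-style tables the two sides hash different secrets and both directions fail.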

============================================================
From: "Michael Snyder" <msnyder@revolutioncomputer.com>
Date: 2003/02/26 Wed PM 08:24:45 EST
To: "'ccie2be'" <ccie2be@nyc.rr.com>
CC: <ccielab@groupstudy.com>
Subject: RE: Amazing but true

I've come to conclusion that the number of responses you get from groupstudy
plotted out looks like a bell curve.

The closer you are getting to passing the lab, the number of responses
decreases.

Here's a good example, I asked this last year and never got a response.

Why with PAP do the user passwords stay the same on both isdn routers.

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass1
Username B password 0 pass2

And with CHAP, you transpose the passwords on one of the routers?

Router A

Username A password 0 pass1
Username B password 0 pass2

Router B

Username A password 0 pass2
Username B password 0 pass1

I understand the CHAP and PAP processes, I have watched the debugs many
times.

Still why would Cisco program the isdn functionality that you have to change
the user password arrangement depending on chap vs pap?

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
ccie2be
Sent: Wednesday, February 26, 2003 1:50 PM
To: Group Study
Subject: Amazing but true

Hi everyone,

Over the past few weeks, several times I've posted a question regarding the
two types of care-of-addresses used with Mobile IP. My question concerned
what determines which type of address is used and whether the type used is
something that's configured on the router or determined by some other means
- perhaps the software installed on the mobile client.

What surprises me though is that there hasn't been one single response! I
don't understand how that could be. I've searched thru both the Group Study
archives and Cisco's documentation and found nothing addressing this
question. I also know that mobile IP is fair game for the lab, so I'm
amazed that this question continues to go unanswered.

And, though I can't understand why that is I've come up with 2 theories:

a) nobody knows
b) nobody cares

I can't imagine that nobody on groupstudy knows this - this is probably the
most knowledgeable group of networking professionals in the world - so let's
nix that idea.

Could it be that nobody cares? That's also hard to imagine. Everyday,
questions seemingly far more esoteric are posted and responded to. Besides,
there must be at least a few people who might need to implement Mobile IP in
the near future and they would certainly need to know about this. And, even
if nobody at the moment needed to know about this for work, most people on
group study seemed to be very intellectually curious. So, let's nix this
theory as well.

Well, I hope this sparks some discussion, and maybe, in the process,
generates the answer to the original question.

What do you think?

Jim
============================================================



This archive was generated by hypermail 2.1.4 : Sat Mar 01 2003 - 11:06:38 GMT-3